Managing identities. TICAL 2012, Lima, Peru Roland Hedberg tisdag 3 juli 12

Transcription

1 Managing identities TICAL 2012, Lima, Peru Roland Hedberg

2 Who am I? Got into networking in 1987 Managed computer networks and network applications Worked with standardisation of directory technologies Software developer/senior researcher

3 Umeå, Sweden Latitude: 63 50' North Longitude: 20 15' East

4 Topics Why How Future

5 What s an identity?

6 What s an identity? The collective aspect of the set of characteristics by which a thing is definitively recognizable or known.

7 What s an identity? The collective aspect of the set of characteristics by which a thing is definitively recognizable or known.

8 What s an identity? The collective aspect of the set of characteristics by which a thing is definitively recognizable or known. A set of attributes and values

9 Why?

10 Historic progression late 80 A set of completely autonomous systems

11 1st transition LDAP mid 90 Some know how to use LDAP LDAP is populated manually

12 2nd transition 2007 Single-Sign-On ubiquitous in-house Extra info from LDAP SSO Metadirectory

13 3rd transition today Identity federations SAML Eduroam

14 IdPs over the world as seen from Norway

15 Driving forces 1st & 2nd transition Centralized cheaper than decentralized 3rd transition User convinience and economy of scale

16 Eduroam

17 Eduroam status 43 member NROs > 5300 service locations (Au, Nz) 250 M successful authn (~6% international) may april 2012 eduroam is ranked as 27th most widely used SSID (5th most frequent operator SSID)

18 Why! Enables trustworthy exchange of information between federations Reduces the costs of developing and operating services Improves the security and end-user experience of services Enables service providers to greatly expand their user base Enables identity providers to increase the number of services available to their users

19 How

20 SWAMID offers quality assured and secure identification of employees, students, alumni and other associated in higher education in Sweden, in the Nordic countries, in the rest of Europe and also in North America and Asia. The edugain service is intended to enable the trustworthy exchange of information related to identity, authentication and authorisation between the GÉANT (GN3) Partners' federations. InCommon provides a secure and privacy-preserving trust fabric for research and higher education institutions, and their partners, in the United States.

21 SWAMID offers quality assured and secure identification of employees, students, alumni and other associated in quality higher education assured in Sweden, in the Nordic countries, in the rest of Europe and also in North America and Asia. The edugain service is intended to enable the trustworthy trustworthy exchange of information exchange related to identity, authentication and authorisation between the GÉANT (GN3) Partners' federations. InCommon provides a secure and privacy-preserving trust fabric trust fabric for research and higher education institutions, and their partners, in the United States.

22 TRUST

23 Federation policies SWAMID Federation Policy v2.0 SWAMID Basic Identity Assurance Profile v1.0 SWAMID eduroam Technology Profile v1.0 SWAMID SAML WebSSO Technology Profile v1.0

24 Explicit trust Kantara Identity Assurance Framework (IAF) Common Organizational Service Assessment Criteria Operational Service Assessment Criteria

25 Trust in Security environment IdM checklist

26 Some outstanding issues

27 Problem of scale A few services has many users Many services has few users

28 Which identity provider to use? OpenID NASCAR problem Where Are You From (WAYF)

29 Attribute releases Specific for every Identity - Service provider pair Solution Service categories

30 Service examples

31 SWAMID coverage All universities with more than 1000 FTE students are part of SWAMID ~ 97 % of all students and employees

32 Studera.nu

33 NyA-webben Student administration Student admission system Base user urn:mace:swami.se:gmai:nya-dw:base:o=yy Department user urn:mace:swami.se:gmai:nya-dw: department:o=yy:noreduorgunituniquenumber=zzzz

34 Adobe Connect

35 BOX.COM Business agreement between SUNET and BOX.COM

36 Hospital contact

37 Foodl

38 Future

39 Non-web Project Moonshot is a JANET(UK)-led initiative, in partnership with the GEANT project and others, to develop a single unifying technology for extending the benefits of federated identity to a broad range of non-web services, including Cloud infrastructures, High Performance Computing & Grid infrastructures and other commonly deployed services including mail, file store, remote access and instant messaging.

40 The great divide Higher Education and public services SAML2 Social services OpenId/OAuth2/OpenId Connect

41 Conclusion Get your identity management in order Document and secure your IdM process Join the Identity federations